< draft-ietf-dprive-dnsoquic-05.txt   draft-ietf-dprive-dnsoquic-06.txt >
Network Working Group C. Huitema Network Working Group C. Huitema
Internet-Draft Private Octopus Inc. Internet-Draft Private Octopus Inc.
Intended status: Standards Track S. Dickinson Intended status: Standards Track S. Dickinson
Expires: 14 April 2022 Sinodun IT Expires: 23 April 2022 Sinodun IT
A. Mankin A. Mankin
Salesforce Salesforce
11 October 2021 20 October 2021
DNS over Dedicated QUIC Connections DNS over Dedicated QUIC Connections
draft-ietf-dprive-dnsoquic-05 draft-ietf-dprive-dnsoquic-06
Abstract Abstract
This document describes the use of QUIC to provide transport privacy This document describes the use of QUIC to provide transport privacy
for DNS. The encryption provided by QUIC has similar properties to for DNS. The encryption provided by QUIC has similar properties to
that provided by TLS, while QUIC transport eliminates the head-of- that provided by TLS, while QUIC transport eliminates the head-of-
line blocking issues inherent with TCP and provides more efficient line blocking issues inherent with TCP and provides more efficient
error corrections than UDP. DNS over QUIC (DoQ) has privacy packet loss recovery than UDP. DNS over QUIC (DoQ) has privacy
properties similar to DNS over TLS (DoT) specified in RFC7858, and properties similar to DNS over TLS (DoT) specified in RFC7858, and
latency characteristics similar to classic DNS over UDP. latency characteristics similar to classic DNS over UDP.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 14 April 2022. This Internet-Draft will expire on 23 April 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 29 skipping to change at page 2, line 29
5. Specifications . . . . . . . . . . . . . . . . . . . . . . . 6 5. Specifications . . . . . . . . . . . . . . . . . . . . . . . 6
5.1. Connection Establishment . . . . . . . . . . . . . . . . 6 5.1. Connection Establishment . . . . . . . . . . . . . . . . 6
5.1.1. Draft Version Identification . . . . . . . . . . . . 6 5.1.1. Draft Version Identification . . . . . . . . . . . . 6
5.1.2. Port Selection . . . . . . . . . . . . . . . . . . . 7 5.1.2. Port Selection . . . . . . . . . . . . . . . . . . . 7
5.2. Stream Mapping and Usage . . . . . . . . . . . . . . . . 7 5.2. Stream Mapping and Usage . . . . . . . . . . . . . . . . 7
5.2.1. DNS Message IDs . . . . . . . . . . . . . . . . . . . 8 5.2.1. DNS Message IDs . . . . . . . . . . . . . . . . . . . 8
5.3. DoQ Error Codes . . . . . . . . . . . . . . . . . . . . . 8 5.3. DoQ Error Codes . . . . . . . . . . . . . . . . . . . . . 8
5.3.1. Transaction Cancellation . . . . . . . . . . . . . . 9 5.3.1. Transaction Cancellation . . . . . . . . . . . . . . 9
5.3.2. Transaction Errors . . . . . . . . . . . . . . . . . 9 5.3.2. Transaction Errors . . . . . . . . . . . . . . . . . 9
5.3.3. Protocol Errors . . . . . . . . . . . . . . . . . . . 10 5.3.3. Protocol Errors . . . . . . . . . . . . . . . . . . . 10
5.4. Connection Management . . . . . . . . . . . . . . . . . . 10 5.3.4. Alternative error codes . . . . . . . . . . . . . . . 11
5.5. Session Resumption and 0-RTT . . . . . . . . . . . . . . 11 5.4. Connection Management . . . . . . . . . . . . . . . . . . 11
5.5. Session Resumption and 0-RTT . . . . . . . . . . . . . . 12
5.6. Message Sizes . . . . . . . . . . . . . . . . . . . . . . 12 5.6. Message Sizes . . . . . . . . . . . . . . . . . . . . . . 12
6. Implementation Requirements . . . . . . . . . . . . . . . . . 12 6. Implementation Requirements . . . . . . . . . . . . . . . . . 13
6.1. Authentication . . . . . . . . . . . . . . . . . . . . . 12 6.1. Authentication . . . . . . . . . . . . . . . . . . . . . 13
6.2. Fall Back to Other Protocols on Connection Failure . . . 13 6.2. Fallback to Other Protocols on Connection Failure . . . . 13
6.3. Address Validation . . . . . . . . . . . . . . . . . . . 13 6.3. Address Validation . . . . . . . . . . . . . . . . . . . 13
6.4. Padding . . . . . . . . . . . . . . . . . . . . . . . . . 13 6.4. Padding . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.5. Connection Handling . . . . . . . . . . . . . . . . . . . 14 6.5. Connection Handling . . . . . . . . . . . . . . . . . . . 15
6.5.1. Connection Reuse . . . . . . . . . . . . . . . . . . 14 6.5.1. Connection Reuse . . . . . . . . . . . . . . . . . . 15
6.5.2. Resource Management and Idle Timeout Values . . . . . 14 6.5.2. Resource Management . . . . . . . . . . . . . . . . . 15
6.5.3. Using 0-RTT and Session Resumption . . . . . . . . . 15 6.5.3. Using 0-RTT and Session Resumption . . . . . . . . . 16
6.6. Processing Queries in Parallel . . . . . . . . . . . . . 16 6.5.4. Controlling Connection Migration For Privacy . . . . 16
6.7. Zone transfer . . . . . . . . . . . . . . . . . . . . . . 16 6.6. Processing Queries in Parallel . . . . . . . . . . . . . 17
6.8. Flow Control Mechanisms . . . . . . . . . . . . . . . . . 16 6.7. Zone transfer . . . . . . . . . . . . . . . . . . . . . . 17
7. Implementation Status . . . . . . . . . . . . . . . . . . . . 17 6.8. Flow Control Mechanisms . . . . . . . . . . . . . . . . . 17
7.1. Performance Measurements . . . . . . . . . . . . . . . . 18 7. Implementation Status . . . . . . . . . . . . . . . . . . . . 18
8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 7.1. Performance Measurements . . . . . . . . . . . . . . . . 19
9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 18 8. Security Considerations . . . . . . . . . . . . . . . . . . . 19
9.1. Privacy Issues With 0-RTT data . . . . . . . . . . . . . 19 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 19
9.1. Privacy Issues With 0-RTT data . . . . . . . . . . . . . 20
9.2. Privacy Issues With Session Resumption . . . . . . . . . 20 9.2. Privacy Issues With Session Resumption . . . . . . . . . 20
9.3. Privacy Issues With New Tokens . . . . . . . . . . . . . 20 9.3. Privacy Issues With Address Validation Tokens . . . . . . 21
9.4. Traffic Analysis . . . . . . . . . . . . . . . . . . . . 21 9.4. Privacy Issues With Long Duration Sessions . . . . . . . 22
9.5. Traffic Analysis . . . . . . . . . . . . . . . . . . . . 22
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
10.1. Registration of DoQ Identification String . . . . . . . 21 10.1. Registration of DoQ Identification String . . . . . . . 22
10.2. Reservation of Dedicated Port . . . . . . . . . . . . . 21 10.2. Reservation of Dedicated Port . . . . . . . . . . . . . 23
10.2.1. Port number 784 for experimentations . . . . . . . . 22 10.2.1. Port number 784 for experimentations . . . . . . . . 23
10.3. Reservation of Extended DNS Error Code Too Early . . . . 22 10.3. Reservation of Extended DNS Error Code Too Early . . . . 23
10.4. DNS over QUIC Error Codes Registry . . . . . . . . . . . 22 10.4. DNS over QUIC Error Codes Registry . . . . . . . . . . . 24
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 24 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 25
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
12.1. Normative References . . . . . . . . . . . . . . . . . . 24 12.1. Normative References . . . . . . . . . . . . . . . . . . 26
12.2. Informative References . . . . . . . . . . . . . . . . . 26 12.2. Informative References . . . . . . . . . . . . . . . . . 28
Appendix A. The NOTIFY service . . . . . . . . . . . . . . . . . 28 Appendix A. The NOTIFY Service . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 Appendix B. Notable Changes From Previous Versions . . . . . . . 30
B.1. Stream Mapping Incompatibility With Draft-02 . . . . . . 30
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
Domain Name System (DNS) concepts are specified in "Domain names - Domain Name System (DNS) concepts are specified in "Domain names -
concepts and facilities" [RFC1034]. The transmission of DNS queries concepts and facilities" [RFC1034]. The transmission of DNS queries
and responses over UDP and TCP is specified in "Domain names - and responses over UDP and TCP is specified in "Domain names -
implementation and specification" [RFC1035]. This document presents implementation and specification" [RFC1035].
a mapping of the DNS protocol over the QUIC transport [RFC9000]
[RFC9001]. DNS over QUIC is referred here as DoQ, in line with "DNS This document presents a mapping of the DNS protocol over the QUIC
Terminology" [I-D.ietf-dnsop-rfc8499bis]. The goals of the DoQ transport [RFC9000] [RFC9001]. DNS over QUIC is referred here as
mapping are: DoQ, in line with "DNS Terminology" [I-D.ietf-dnsop-rfc8499bis].
The goals of the DoQ mapping are:
1. Provide the same DNS privacy protection as DNS over TLS (DoT) 1. Provide the same DNS privacy protection as DNS over TLS (DoT)
[RFC7858]. This includes an option for the client to [RFC7858]. This includes an option for the client to
authenticate the server by means of an authentication domain name authenticate the server by means of an authentication domain name
as specified in "Usage Profiles for DNS over TLS and DNS over as specified in "Usage Profiles for DNS over TLS and DNS over
DTLS" [RFC8310]. DTLS" [RFC8310].
2. Provide an improved level of source address validation for DNS 2. Provide an improved level of source address validation for DNS
servers compared to classic DNS over UDP. servers compared to classic DNS over UDP.
3. Provide a transport that is not constrained by path MTU 3. Provide a transport that is not constrained by path MTU
limitations on the size of DNS responses it can send. limitations on the size of DNS responses it can send.
4. Explore the characteristics of using QUIC as a DNS transport,
versus other solutions like DNS over UDP [RFC1035], DNS over TLS
(DoT) [RFC7858], or DNS over HTTPS (DoH) [RFC8484].
In order to achieve these goals, and to support ongoing work on In order to achieve these goals, and to support ongoing work on
encryption of DNS, the scope of this document includes encryption of DNS, the scope of this document includes
* the "stub to recursive resolver" scenario * the "stub to recursive resolver" scenario
* the "recursive resolver to authoritative nameserver" scenario and * the "recursive resolver to authoritative nameserver" scenario and
* the "nameserver to nameserver" scenario (mainly used for zone * the "nameserver to nameserver" scenario (mainly used for zone
transfers (XFR) [RFC1995], [RFC5936]). transfers (XFR) [RFC1995], [RFC5936]).
In other words, this document is intended to specify QUIC as a In other words, this document is intended to specify QUIC as a
general purpose transport for DNS. general purpose transport for DNS.
The specific non-goals of this document are: The specific non-goals of this document are:
1. No attempt is made to evade potential blocking of DNS over QUIC 1. No attempt is made to evade potential blocking of DNS over QUIC
traffic by middleboxes. traffic by middleboxes.
skipping to change at page 5, line 23 skipping to change at page 5, line 23
QUIC connection setup includes the negotiation of security parameters QUIC connection setup includes the negotiation of security parameters
using TLS, as specified in "Using TLS to Secure QUIC" [RFC9001], using TLS, as specified in "Using TLS to Secure QUIC" [RFC9001],
enabling encryption of the QUIC transport. Transmitting DNS messages enabling encryption of the QUIC transport. Transmitting DNS messages
over QUIC will provide essentially the same privacy protections as over QUIC will provide essentially the same privacy protections as
DoT [RFC7858] including Strict and Opportunistic Usage Profiles DoT [RFC7858] including Strict and Opportunistic Usage Profiles
[RFC8310]. Further discussion on this is provided in Section 9. [RFC8310]. Further discussion on this is provided in Section 9.
4.2. Design for Minimum Latency 4.2. Design for Minimum Latency
QUIC is specifically designed to reduce the delay between HTTP QUIC is specifically designed to reduce protocol-induced delays, with
queries and HTTP responses. This is achieved through three main features such as:
components:
1. Support for 0-RTT data during session resumption. 1. Support for 0-RTT data during session resumption.
2. Support for advanced error recovery procedures as specified in 2. Support for advanced packet loss recovery procedures as specified
"QUIC Loss Detection and Congestion Control" [RFC9002]. in "QUIC Loss Detection and Congestion Control" [RFC9002].
3. Mitigation of head-of-line blocking by allowing parallel delivery 3. Mitigation of head-of-line blocking by allowing parallel delivery
of data on multiple streams. of data on multiple streams.
This mapping of DNS to QUIC will take advantage of these features in This mapping of DNS to QUIC will take advantage of these features in
three ways: three ways:
1. Optional support for sending 0-RTT data during session resumption 1. Optional support for sending 0-RTT data during session resumption
(the security and privacy implications of this are discussed in (the security and privacy implications of this are discussed in
later sections). later sections).
2. Long-lived QUIC connections over which multiple DNS transactions 2. Long-lived QUIC connections over which multiple DNS transactions
are performed, generating the sustained traffic required to are performed, generating the sustained traffic required to
benefit from advanced recovery features. benefit from advanced recovery features.
3. Fast resumption of QUIC connections to manage the disconnect-on- 3. Mapping of each DNS Query/Response transaction to a separate
idle feature of QUIC without incurring retransmission time-outs.
4. Mapping of each DNS Query/Response transaction to a separate
stream, to mitigate head-of-line blocking. This enables servers stream, to mitigate head-of-line blocking. This enables servers
to respond to queries "out of order". It also enables clients to to respond to queries "out of order". It also enables clients to
process responses as soon as they arrive, without having to wait process responses as soon as they arrive, without having to wait
for in order delivery of responses previously posted by the for in order delivery of responses previously posted by the
server. server.
These considerations will be reflected in the mapping of DNS traffic These considerations are reflected in the mapping of DNS traffic to
to QUIC streams in Section 5.2. QUIC streams in Section 5.2.
4.3. No Specific Middlebox Bypass Mechanism 4.3. No Specific Middlebox Bypass Mechanism
The mapping of DoQ is defined for minimal overhead and maximum The mapping of DoQ is defined for minimal overhead and maximum
performance. This means a different traffic profile than HTTP3 over performance. This means a different traffic profile than HTTP3 over
QUIC. This difference can be noted by firewalls and middleboxes. QUIC. This difference can be noted by firewalls and middleboxes.
There may be environments in which HTTP3 over QUIC will be able to There may be environments in which HTTP3 over QUIC will be able to
pass through, but DoQ will be blocked by these middle boxes. pass through, but DoQ will be blocked by these middle boxes.
4.4. No Server Initiated Transactions 4.4. No Server Initiated Transactions
As stated in Section 1, this document does not specify support for As stated in Section 1, this document does not specify support for
server initiated transactions within established DoQ connections. server initiated transactions within established DoQ connections.
That is, only the initiator of the DoQ connection may send queries That is, only the initiator of the DoQ connection may send queries
over the connection. over the connection.
DSO supports server-initiated transactions within existing DSO does support server-initiated transactions within existing
connections, however DSO is not applicable to DNS over HTTP since connections. However DoQ as defined here does not meet the criteria
HTTP has its own mechanism for managing sessions, and this is for an applicable transport for DSO because it does not guarantee in-
incompatible with the DSO; the same is true for DoQ. order delivery of messages, see Section 4.2 of [RFC8490].
5. Specifications 5. Specifications
5.1. Connection Establishment 5.1. Connection Establishment
DoQ connections are established as described in the QUIC transport DoQ connections are established as described in the QUIC transport
specification [RFC9000]. During connection establishment, DoQ specification [RFC9000]. During connection establishment, DoQ
support is indicated by selecting the ALPN token "doq" in the crypto support is indicated by selecting the ALPN token "doq" in the crypto
handshake. handshake.
skipping to change at page 7, line 14 skipping to change at page 7, line 9
Implementations of draft versions of the protocol MUST add the string Implementations of draft versions of the protocol MUST add the string
"-" and the corresponding draft number to the identifier. For "-" and the corresponding draft number to the identifier. For
example, draft-ietf-dprive-dnsoquic-00 is identified using the string example, draft-ietf-dprive-dnsoquic-00 is identified using the string
"doq-i00". "doq-i00".
5.1.2. Port Selection 5.1.2. Port Selection
By default, a DNS server that supports DoQ MUST listen for and accept By default, a DNS server that supports DoQ MUST listen for and accept
QUIC connections on the dedicated UDP port TBD (number to be defined QUIC connections on the dedicated UDP port TBD (number to be defined
in Section 10), unless it has mutual agreement with its clients to in Section 10), unless there is a mutual agreement to use another
use a port other than TBD for DoQ. In order to use a port other than port.
TBD, both clients and servers would need a configuration option in
their software.
By default, a DNS client desiring to use DoQ with a particular server By default, a DNS client desiring to use DoQ with a particular server
MUST establish a QUIC connection to UDP port TBD on the server, MUST establish a QUIC connection to UDP port TBD on the server,
unless it has mutual agreement with its server to use a port other unless there is a mutual agreement to use another port.
than port TBD for DoQ. Such another port MUST NOT be port 53. This
recommendation against use of port 53 for DoQ is to avoid confusion In order to use a port other than TBD, both clients and servers would
between DoQ and the use of DNS over UDP [RFC1035]. need a configuration option in their software.
DoQ connections MUST NOT use UDP port 53. This recommendation
against use of port 53 for DoQ is to avoid confusion between DoQ and
the use of DNS over UDP [RFC1035].
In the stub to recursive scenario, the use of port 443 as a mutually In the stub to recursive scenario, the use of port 443 as a mutually
agreed alternative port can be operationally beneficial, since port agreed alternative port can be operationally beneficial, since port
443 is less likely to be blocked than other ports. Several 443 is less likely to be blocked than other ports. Several
mechanisms for stubs to discover recursives offering encrypted mechanisms for stubs to discover recursives offering encrypted
transports, including the use of custom ports, are the subject of transports, including the use of custom ports, are the subject of
work in the ADD working group. ongoing work.
5.2. Stream Mapping and Usage 5.2. Stream Mapping and Usage
The mapping of DNS traffic over QUIC streams takes advantage of the The mapping of DNS traffic over QUIC streams takes advantage of the
QUIC stream features detailed in Section 2 of the QUIC transport QUIC stream features detailed in Section 2 of [RFC9000], the QUIC
specification [RFC9000]. transport specification.
DNS traffic follows a simple pattern in which the client sends a DNS traffic follows a simple pattern in which the client sends a
query, and the server provides one or more responses (multiple can query, and the server provides one or more responses (multiple
responses occur in zone transfers). responses can occur in zone transfers).
The mapping specified here requires that the client selects a The mapping specified here requires that the client selects a
separate QUIC stream for each query. The server then uses the same separate QUIC stream for each query. The server then uses the same
stream to provide all the response messages for that query. In order stream to provide all the response messages for that query. In order
that multiple responses can be parsed, a 2-octet length field is used that multiple responses can be parsed, a 2-octet length field is used
in exactly the same way as the 2-octet length field defined for DNS in exactly the same way as the 2-octet length field defined for DNS
over TCP [RFC1035]. The practical result of this is that the content over TCP [RFC1035]. The practical result of this is that the content
of each QUIC stream is exactly the same as the content of a TCP of each QUIC stream is exactly the same as the content of a TCP
connection that would manage exactly one query. connection that would manage exactly one query.
skipping to change at page 8, line 25 skipping to change at page 8, line 21
be sent on that stream. be sent on that stream.
The server MUST send the response(s) on the same stream and MUST The server MUST send the response(s) on the same stream and MUST
indicate, after the last response, through the STREAM FIN mechanism indicate, after the last response, through the STREAM FIN mechanism
that no further data will be sent on that stream. that no further data will be sent on that stream.
Therefore, a single client initiated DNS transaction consumes a Therefore, a single client initiated DNS transaction consumes a
single stream. This means that the client's first query occurs on single stream. This means that the client's first query occurs on
QUIC stream 0, the second on 4, and so on. QUIC stream 0, the second on 4, and so on.
For completeness it is noted that versions prior to -02 of this Servers MAY defer processing of a query until the STREAM FIN has been
specification proposed a simpler mapping scheme which omitted the 2 indicated on the stream selected by the client. Servers and clients
byte length field and supported only a single response on a given MAY monitor the number of "dangling" streams for which the expected
stream. The more complex mapping above was adopted to specifically queries or responses have been received but not the STREAM FIN.
cater for XFR support, however it breaks compatibility with earlier Implementations MAY impose a limit on the number of such dangling
versions. streams. If limits are encountered, implementations MAY close the
connection.
5.2.1. DNS Message IDs 5.2.1. DNS Message IDs
When sending queries over a QUIC connection, the DNS Message ID MUST When sending queries over a QUIC connection, the DNS Message ID MUST
be set to zero. be set to zero.
It is noted that this has implications for proxying DoQ message to This has implications for proxying DoQ message to and from other
other transports in that a mapping of some form must be performed transports. For example, proxies may have to manage the fact that
(e.g., from DoQ connection/stream to unique Message ID). DoQ can support a larger number of outstanding queries on a single
connection than e.g., DNS over TCP because DoQ is not limited by the
Message ID space.
When forwarding a DNS message from DoQ over another transport, a DNS
Message ID MUST be generated according to the rules of the protocol
that is in use. When forwarding a DNS message from another transport
over DoQ, the Message ID MUST be set to zero.
5.3. DoQ Error Codes 5.3. DoQ Error Codes
The following error codes are defined for use when abruptly The following error codes are defined for use when abruptly
terminating streams, aborting reading of streams, or immediately terminating streams, aborting reading of streams, or immediately
closing connections: closing connections:
DOQ_NO_ERROR (0x00): No error. This is used when the connection or DOQ_NO_ERROR (0x0): No error. This is used when the connection or
stream needs to be closed, but there is no error to signal. stream needs to be closed, but there is no error to signal.
DOQ_INTERNAL_ERROR (0x01): The DoQ implementation encountered an DOQ_INTERNAL_ERROR (0x1): The DoQ implementation encountered an
internal error and is incapable of pursuing the transaction or the internal error and is incapable of pursuing the transaction or the
connection. connection.
DOQ_PROTOCOL_ERROR (0x02): The DoQ implementation encountered an DOQ_PROTOCOL_ERROR (0x2): The DoQ implementation encountered an
protocol error and is forcibly aborting the connection. protocol error and is forcibly aborting the connection.
DOQ_REQUEST_CANCELLED (0x03): A DoQ client uses this to signal that DOQ_REQUEST_CANCELLED (0x3): A DoQ client uses this to signal that
it wants to cancel an outstanding transaction. it wants to cancel an outstanding transaction.
DOQ_EXCESSIVE_LOAD (0x4): A DoQ implementation uses this to signal
when closing a connection due to excessive load.
DOQ_ERROR_RESERVED (0xd098ea5e): Alternative error code used for
tests.
See Section 10.4 for details on registering new error codes. See Section 10.4 for details on registering new error codes.
5.3.1. Transaction Cancellation 5.3.1. Transaction Cancellation
In QUIC, sending STOP_SENDING requests that a peer cease transmission In QUIC, sending STOP_SENDING requests that a peer cease transmission
on a stream. If a DoQ client wishes to cancel an outstanding on a stream. If a DoQ client wishes to cancel an outstanding
request, it MUST issue a QUIC Stop Sending with error code request, it MUST issue a QUIC Stop Sending with error code
DOQ_REQUEST_CANCELLED. This may be sent at any time but will be DOQ_REQUEST_CANCELLED. This may be sent at any time but will be
ignored if the server has already sent the response. The ignored if the server has already sent the response. The
corresponding DNS transaction MUST be abandoned. corresponding DNS transaction MUST be abandoned.
A server that receives STOP_SENDING MUST issue a RESET_STREAM with Servers that receive STOP_SENDING act in accordance with Section 3.5
error code DOQ_REQUEST_CANCELLED, unless it has already sent a of [RFC9000]. Servers MAY impose implementation limits on the total
complete response in which case it MAY ignore the STOP_SENDING number or rate of request cancellations. If limits are encountered,
request. Servers MAY limit the number of DOQ_REQUEST_CANCELLED servers MAY close the connection. In this case, servers wanting to
errors received on a connection before choosing to close the help client debugging MAY use the error code DOQ_EXCESSIVE_LOAD.
connection. There is always a trade-off between helping good faith clients debug
issues and allowing denial-of-service attackers to test server
defenses, so depending on circumstances servers might very well chose
to send different error codes.
Note that this mechanism provides a way for secondaries to cancel a Note that this mechanism provides a way for secondaries to cancel a
single zone transfer occurring on a given stream without having to single zone transfer occurring on a given stream without having to
close the QUIC connection. close the QUIC connection.
5.3.2. Transaction Errors 5.3.2. Transaction Errors
Servers normally complete transactions by sending a DNS response (or Servers normally complete transactions by sending a DNS response (or
responses) on the transaction's stream, including cases where the DNS responses) on the transaction's stream, including cases where the DNS
response indicates a DNS error. For example, a Server Failure response indicates a DNS error. For example, a Server Failure
(SERVFAIL, [RFC1035]) SHOULD be notified to the client by sending (SERVFAIL, [RFC1035]) SHOULD be notified to the client by sending
back a response with the Response Code set to SERVFAIL. back a response with the Response Code set to SERVFAIL.
If a server is incapable of sending a DNS response due to an internal If a server is incapable of sending a DNS response due to an internal
error, it SHOULD issue a QUIC Stream Reset with error code error, it SHOULD issue a QUIC Stream Reset. The error code SHOULD be
DOQ_INTERNAL_ERROR. The corresponding DNS transaction MUST be set to DOQ_INTERNAL_ERROR. The corresponding DNS transaction MUST be
abandoned. Clients MAY limit the number of unsolicited QUIC Stream abandoned. Clients MAY limit the number of unsolicited QUIC Stream
Resets received on a connection before choosing to close the Resets received on a connection before choosing to close the
connection. connection.
Note that this mechanism provides a way for primaries to abort a Note that this mechanism provides a way for primaries to abort a
single zone transfer occurring on a given stream without having to single zone transfer occurring on a given stream without having to
close the QUIC connection. close the QUIC connection.
5.3.3. Protocol Errors 5.3.3. Protocol Errors
skipping to change at page 10, line 26 skipping to change at page 10, line 37
* a client receives a STREAM FIN before receiving all the expected * a client receives a STREAM FIN before receiving all the expected
responses responses
* a server receives more than one query on a stream * a server receives more than one query on a stream
* a client receives a different number of responses on a stream than * a client receives a different number of responses on a stream than
expected (e.g. multiple responses to a query for an A record) expected (e.g. multiple responses to a query for an A record)
* a client receives a STOP_SENDING request * a client receives a STOP_SENDING request
* the client or server does not indicate the expected STREAM FIN
after sending requests or responses (see Section 5.2).
* an implementation receives a message containing the edns-tcp- * an implementation receives a message containing the edns-tcp-
keepalive EDNS(0) Option [RFC7828] (see Section 6.5.2) keepalive EDNS(0) Option [RFC7828] (see Section 6.5.2)
* a client or a server attempts to open an unidirectional QUIC
stream
* a server attempts to open a server-initiated bidirectional QUIC
stream
If a peer encounters such an error condition it is considered a fatal If a peer encounters such an error condition it is considered a fatal
error. It SHOULD forcibly abort the connection using QUIC's error. It SHOULD forcibly abort the connection using QUIC's
CONNECTION_CLOSE mechanism, and use the DoQ error code CONNECTION_CLOSE mechanism, and SHOULD use the DoQ error code
DOQ_PROTCOL_ERROR. DOQ_PROTOCOL_ERROR.
It is noted that the restrictions on use of the above EDNS(0) options It is noted that the restrictions on use of the above EDNS(0) options
has implications for proxying message from TCP/DoT/DoH over DoQ. has implications for proxying message from TCP/DoT/DoH over DoQ.
5.3.4. Alternative error codes
This specification suggests specific error codes Section 5.3.1,
Section 5.3.2, and Section 5.3.3. These error codes are meant to
facilitates investigation of failures and other incidents. New error
codes may be defined in future versions of DoQ, or registered as
specified in Section 10.4.
Because new error codes can be defined without negotiation, use of an
error code in an unexpected context or receipt of an unknown error
code MUST be treated as equivalent to DOQ_NO_ERROR.
Implementations MAY wish to test the support for the error code
extension mechanism by using error codes not listed in this document,
or they MAY use DOQ_ERROR_RESERVED.
5.4. Connection Management 5.4. Connection Management
Section 10 of the QUIC transport specification [RFC9000] specifies Section 10 of [RFC9000], the QUIC transport specification, specifies
that connections can be closed in three ways: that connections can be closed in three ways:
* idle timeout * idle timeout
* immediate close * immediate close
* stateless reset * stateless reset
Clients and servers implementing DoQ SHOULD negotiate use of the idle Clients and servers implementing DoQ SHOULD negotiate use of the idle
timeout. Closing on idle timeout is done without any packet timeout. Closing on idle timeout is done without any packet
exchange, which minimizes protocol overhead. Per section 10.1 of the exchange, which minimizes protocol overhead. Per Section 10.1 of
QUIC transport specification, the effective value of the idle timeout [RFC9000], the QUIC transport specification, the effective value of
is computed as the minimum of the values advertised by the two the idle timeout is computed as the minimum of the values advertised
endpoints. Practical considerations on setting the idle timeout are by the two endpoints. Practical considerations on setting the idle
discussed in Section 6.5.2. timeout are discussed in Section 6.5.2.
Clients SHOULD monitor the idle time incurred on their connection to Clients SHOULD monitor the idle time incurred on their connection to
the server, defined by the time spent since the last packet from the the server, defined by the time spent since the last packet from the
server has been received. When a client prepares to send a new DNS server has been received. When a client prepares to send a new DNS
query to the server, it will check whether the idle time is query to the server, it will check whether the idle time is
sufficient lower than the idle timer. If it is, the client will send sufficient lower than the idle timer. If it is, the client will send
the DNS query over the existing connection. If not, the client will the DNS query over the existing connection. If not, the client will
establish a new connection and send the query over that connection. establish a new connection and send the query over that connection.
Clients MAY discard their connection to the server before the idle Clients MAY discard their connections to the server before the idle
timeout expires. If they do that, they SHOULD close the connection timeout expires. A client that has outstanding queries SHOULD close
explicitly, using QUIC's CONNECTION_CLOSE mechanism, and use the DoQ the connection explicitly using QUIC's CONNECTION_CLOSE mechanism and
error code DOQ_NO_ERROR. the DoQ error code DOQ_NO_ERROR.
Clients and servers MAY close the connection for a variety of other Clients and servers MAY close the connection for a variety of other
reasons, indicated using QUIC's CONNECTION_CLOSE. Client and servers reasons, indicated using QUIC's CONNECTION_CLOSE. Client and servers
that send packets over a connection discarded by their peer MAY that send packets over a connection discarded by their peer MAY
receive a stateless reset indication. If a connection fails, all receive a stateless reset indication. If a connection fails, all the
queries in progress over the connection MUST be considered failed, in progress transaction on that connection MUST be abandoned.
and a Server Failure (SERVFAIL, [RFC1035]) SHOULD be notified to the
initiator of the transaction.
5.5. Session Resumption and 0-RTT 5.5. Session Resumption and 0-RTT
A client MAY take advantage of the session resumption mechanisms A client MAY take advantage of the session resumption mechanisms
supported by QUIC transport [RFC9000] and QUIC TLS [RFC9001]. supported by QUIC transport [RFC9000] and QUIC TLS [RFC9001].
Clients SHOULD consider potential privacy issues associated with Clients SHOULD consider potential privacy issues associated with
session resumption before deciding to use this mechanism. These session resumption before deciding to use this mechanism. These
privacy issues are detailed in Section 9.2 and Section 9.1, and the privacy issues are detailed in Section 9.2 and Section 9.1, and the
implementation considerations are discussed in Section 6.5.3. implementation considerations are discussed in Section 6.5.3.
The 0-RTT mechanism SHOULD NOT be used to send DNS requests that are The 0-RTT mechanism SHOULD NOT be used to send DNS requests that are
not "replayable" transactions. Our analysis so far shows that such not "replayable" transactions. In this specification, only
replayable transactions can only be QUERY requests, although we may transactions that have an OPCODE of QUERY or NOTIFY are considered
need to also consider NOTIFY requests once the analysis of NOTIFY replayable and MAY be sent in 0-RTT data. See Appendix A for a
services is complete, see Appendix A. detailed discussion of why NOTIFY is included here.
Servers MUST NOT execute non replayable transactions received in Servers MUST NOT execute non replayable transactions received in
0-RTT data. Servers MUST adopt one of the following behaviors: 0-RTT data. Servers MUST adopt one of the following behaviors:
* Queue the offending transaction and only execute it after the QUIC * Queue the offending transaction and only execute it after the QUIC
handshake has been completed, as defined in section 4.1.1 of handshake has been completed, as defined in Section 4.1.1 of
[RFC9001]. [RFC9001].
* Reply to the offending transaction with a response code REFUSED * Reply to the offending transaction with a response code REFUSED
and an Extended DNS Error Code (EDE) "Too Early", see and an Extended DNS Error Code (EDE) "Too Early", see
Section 10.3. Section 10.3.
* Close the connection with the error code DOQ_PROTOCOL_ERROR. * Close the connection with the error code DOQ_PROTOCOL_ERROR.
For the zone transfer scenario, it would be possible to replay an XFR
QUERY that had been sent in 0-RTT data. However the authentication
mechanisms described in RFC9103 ("Zone transfer over TLS") will
ensure that the response is not sent by the primary until the
identity of the secondary has been verified i.e. the first behavior
listed above.
5.6. Message Sizes 5.6. Message Sizes
DoQ Queries and Responses are sent on QUIC streams, which in theory DoQ Queries and Responses are sent on QUIC streams, which in theory
can carry up to 2^62 bytes. However, DNS messages are restricted in can carry up to 2^62 bytes. However, DNS messages are restricted in
practice to a maximum size of 65535 bytes. This maximum size is practice to a maximum size of 65535 bytes. This maximum size is
enforced by the use of a two-octet message length field in DNS over enforced by the use of a two-octet message length field in DNS over
TCP [RFC1035] and DNS over TLS [RFC7858], and by the definition of TCP [RFC1035] and DNS over TLS [RFC7858], and by the definition of
the "application/dns-message" for DNS over HTTP [RFC8484]. DoQ the "application/dns-message" for DNS over HTTP [RFC8484]. DoQ
enforces the same restriction. enforces the same restriction.
skipping to change at page 13, line 9 skipping to change at page 13, line 30
authentication profile. Client authentication for the encrypted stub authentication profile. Client authentication for the encrypted stub
to recursive scenario is not described in any DNS RFC. to recursive scenario is not described in any DNS RFC.
For zone transfer, the requirements are the same as described in For zone transfer, the requirements are the same as described in
[RFC9103]. [RFC9103].
For the recursive resolver to authoritative nameserver scenario, For the recursive resolver to authoritative nameserver scenario,
authentication requirements are unspecified at the time of writing authentication requirements are unspecified at the time of writing
and are the subject on ongoing work in the DPRIVE WG. and are the subject on ongoing work in the DPRIVE WG.
6.2. Fall Back to Other Protocols on Connection Failure 6.2. Fallback to Other Protocols on Connection Failure
If the establishment of the DoQ connection fails, clients MAY attempt If the establishment of the DoQ connection fails, clients MAY attempt
to fall back to DoT and then potentially clear text, as specified in to fall back to DoT and then potentially clear text, as specified in
DoT [RFC7858] and "Usage Profiles for DNS over TLS and DNS over DTLS" DoT [RFC7858] and "Usage Profiles for DNS over TLS and DNS over DTLS"
[RFC8310], depending on their privacy profile. [RFC8310], depending on their privacy profile.
DNS clients SHOULD remember server IP addresses that don't support DNS clients SHOULD remember server IP addresses that don't support
DoQ, including timeouts, connection refusals, and QUIC handshake DoQ. Timeouts, connection refusals, and QUIC handshake failures are
failures, and not request DoQ from them for a reasonable period (such valid indicators that a server does not support DoQ. Clients SHOULD
as one hour per server). DNS clients following an out-of-band key- NOT attempt DoQ queries to a server that does not support DoQ for a
pinned privacy profile ([RFC7858]) MAY be more aggressive about reasonable period (such as one hour per server). DNS clients
retrying DoQ connection failures. following an out-of-band key-pinned privacy profile ([RFC7858]) MAY
be more aggressive about retrying DoQ connection failures.
6.3. Address Validation 6.3. Address Validation
Section 8 of the QUIC transport specification [RFC9000] defines Section 8 of [RFC9000], the QUIC transport specification, defines
Address Validation procedures to avoid servers being used in address Address Validation procedures to avoid servers being used in address
amplification attacks. DoQ implementations MUST conform to this amplification attacks. DoQ implementations MUST conform to this
specification, which limits the worst case amplification to a factor specification, which limits the worst case amplification to a factor
3. 3.
DoQ implementations SHOULD consider configuring servers to use the DoQ implementations SHOULD consider configuring servers to use the
Address Validation using Retry Packets procedure defined in section Address Validation using Retry Packets procedure defined in
8.1.2 of the QUIC transport specification [RFC9000]). This procedure Section 8.1.2 of [RFC9000], the QUIC transport specification. This
imposes a 1-RTT delay for verifying the return routability of the procedure imposes a 1-RTT delay for verifying the return routability
source address of a client, similar to the DNS Cookies mechanism of the source address of a client, similar to the DNS Cookies
[RFC7873]. mechanism [RFC7873].
DoQ implementations that configure Address Validation using Retry DoQ implementations that configure Address Validation using Retry
Packets SHOULD implement the Address Validation for Future Packets SHOULD implement the Address Validation for Future
Connections procedure defined in section 8.1.3 of the QUIC transport Connections procedure defined in Section 8.1.3 of [RFC9000], the QUIC
specification [RFC9000]). This defines how servers can send NEW transport specification. This defines how servers can send NEW_TOKEN
TOKEN frames to clients after the client address is validated, in frames to clients after the client address is validated, in order to
order to avoid the 1-RTT penalty during subsequent connections by the avoid the 1-RTT penalty during subsequent connections by the client
client from the same address. from the same address.
6.4. Padding 6.4. Padding
Implementations SHOULD protect against the traffic analysis attacks Implementations SHOULD protect against the traffic analysis attacks
described in Section 9.4 by the judicious injection of padding. This described in Section 9.5 by the judicious injection of padding. This
could be done either by padding individual DNS messages using the could be done either by padding individual DNS messages using the
EDNS(0) Padding Option [RFC7830] and by padding QUIC packets (see EDNS(0) Padding Option [RFC7830] and by padding QUIC packets (see
Section 8.6 of the QUIC transport specification [RFC9000]). Section 8.6 of [RFC9000], the QUIC transport specification.
In theory, padding at the QUIC level could result in better In theory, padding at the QUIC level could result in better
performance for the equivalent protection, because the amount of performance for the equivalent protection, because the amount of
padding can take into account non-DNS frames such as acknowledgeemnts padding can take into account non-DNS frames such as acknowledgeemnts
or flow control updates, and also because QUIC packets can carry or flow control updates, and also because QUIC packets can carry
multiple DNS messages. However, applications can only control the multiple DNS messages. However, applications can only control the
amount of padding in QUIC packets if the implementation of QUIC amount of padding in QUIC packets if the implementation of QUIC
exposes adequate APIs. This leads to the following recommendation: exposes adequate APIs. This leads to the following recommendation:
* if the implementation of QUIC exposes APIs to set a padding * if the implementation of QUIC exposes APIs to set a padding
skipping to change at page 14, line 29 skipping to change at page 15, line 9
* if padding at the QUIC level is not available or not used, DNS * if padding at the QUIC level is not available or not used, DNS
over QUIC MUST ensure that all DNS queries and responses are over QUIC MUST ensure that all DNS queries and responses are
padded to a small set of fixed sizes, using the EDNS padding padded to a small set of fixed sizes, using the EDNS padding
extension as specified in "Padding Policies for Extension extension as specified in "Padding Policies for Extension
Mechanisms for DNS (EDNS(0))" [RFC8467]. Mechanisms for DNS (EDNS(0))" [RFC8467].
6.5. Connection Handling 6.5. Connection Handling
"DNS Transport over TCP - Implementation Requirements" [RFC7766] "DNS Transport over TCP - Implementation Requirements" [RFC7766]
provides updated guidance on DNS over TCP, some of which is provides updated guidance on DNS over TCP, some of which is
applicable to DoQ. This section attempts to specify which and how applicable to DoQ. This section provides similar advice on
those considerations apply to DoQ. connection handling for DoQ.
6.5.1. Connection Reuse 6.5.1. Connection Reuse
Historic implementations of DNS clients are known to open and close Historic implementations of DNS clients are known to open and close
TCP connections for each DNS query. To avoid excess QUIC TCP connections for each DNS query. To amortise connection setup
connections, each with a single query, clients SHOULD reuse a single costs, both clients and servers SHOULD support connection reuse by
QUIC connection to the recursive resolver. sending multiple queries and responses over a single persistent QUIC
connection.
In order to achieve performance on par with UDP, DNS clients SHOULD In order to achieve performance on par with UDP, DNS clients SHOULD
send their queries concurrently over the QUIC streams on a QUIC send their queries concurrently over the QUIC streams on a QUIC
connection. That is, when a DNS client sends multiple queries to a connection. That is, when a DNS client sends multiple queries to a
server over a QUIC connection, it SHOULD NOT wait for an outstanding server over a QUIC connection, it SHOULD NOT wait for an outstanding
reply before sending the next query. reply before sending the next query.
6.5.2. Resource Management and Idle Timeout Values 6.5.2. Resource Management
Proper management of established and idle connections is important to Proper management of established and idle connections is important to
the healthy operation of a DNS server. An implementation of DoQ the healthy operation of a DNS server.
SHOULD follow best practices similar to those specified for DNS over
TCP [RFC7766], in particular with regard to:
* Concurrent Connections (Section 6.2.2) An implementation of DoQ SHOULD follow best practices similar to
* Security Considerations (Section 10) those specified for DNS over TCP [RFC7766], in particular with regard
to:
* Concurrent Connections (Section 6.2.2 of [RFC7766], updated by
Section 6.4 of [RFC9103])
* Security Considerations (Section 10 of [RFC7766])
Failure to do so may lead to resource exhaustion and denial of Failure to do so may lead to resource exhaustion and denial of
service. service.
Clients that want to maintain long duration DoQ connections SHOULD Clients that want to maintain long duration DoQ connections SHOULD
use the idle timeout mechanisms defined in Section 10.1 of the QUIC use the idle timeout mechanisms defined in Section 10.1 of [RFC9000],
transport specification [RFC9000]. Clients and servers MUST NOT send the QUIC transport specification. Clients and servers MUST NOT send
the edns-tcp-keepalive EDNS(0) Option [RFC7828] in any messages sent the edns-tcp-keepalive EDNS(0) Option [RFC7828] in any messages sent
on a DoQ connection (because it is specific to the use of TCP/TLS as on a DoQ connection (because it is specific to the use of TCP/TLS as
a transport). a transport).
This document does not make specific recommendations for timeout This document does not make specific recommendations for timeout
values on idle connections. Clients and servers should reuse and/or values on idle connections. Clients and servers should reuse and/or
close connections depending on the level of available resources. close connections depending on the level of available resources.
Timeouts may be longer during periods of low activity and shorter Timeouts may be longer during periods of low activity and shorter
during periods of high activity. during periods of high activity.
skipping to change at page 15, line 39 skipping to change at page 16, line 28
0-RTT will not incur latency penalties if new connections are 0-RTT will not incur latency penalties if new connections are
required for a query. required for a query.
Session resumption and 0-RTT data transmission create privacy risks Session resumption and 0-RTT data transmission create privacy risks
detailed in detailed in Section 9.2 and Section 9.1. The following detailed in detailed in Section 9.2 and Section 9.1. The following
recommendations are meant to reduce the privacy risks while enjoying recommendations are meant to reduce the privacy risks while enjoying
the performance benefits of 0-RTT data, with the restriction the performance benefits of 0-RTT data, with the restriction
specified in Section 5.5. specified in Section 5.5.
Clients SHOULD use resumption tickets only once, as specified in Clients SHOULD use resumption tickets only once, as specified in
Appendix C.4 to [RFC8446]. Clients could receive address validation Appendix C.4 to [RFC8446]. By default, clients SHOULD NOT use
tokens from the server using the NEW TOKEN mechanism; see section 8 session resumption if the client's connectivity has changed.
of [RFC9000]. The associated tracking risks are mentioned in
Section 9.3. Clients SHOULD only use the address validation tokens Clients could receive address validation tokens from the server using
when they are also using session resumption, thus avoiding additional the NEW_TOKEN mechanism; see Section 8 of [RFC9000]. The associated
tracking risks. tracking risks are mentioned in Section 9.3. Clients SHOULD only use
the address validation tokens when they are also using session
resumption, thus avoiding additional tracking risks.
Servers SHOULD issue session resumption tickets with a sufficiently Servers SHOULD issue session resumption tickets with a sufficiently
long life time (e.g., 6 hours), so that clients are not tempted to long life time (e.g., 6 hours), so that clients are not tempted to
either keep connection alive or frequently poll the server to renew either keep connection alive or frequently poll the server to renew
session resumption tickets. Servers SHOULD implement the anti-replay session resumption tickets. Servers SHOULD implement the anti-replay
mechanisms specified in section 8 of [RFC8446]. mechanisms specified in Section 8 of [RFC8446].
6.5.4. Controlling Connection Migration For Privacy
DoQ implementation might consider using the connection migration
features defined in Section 9 of [RFC9000]. These features enable
connections to continue operating as the client's connectivity
changes. As detailed in Section 9.4, these features trade off
privacy for latency. By default, clients SHOULD be configured to
prioritise privacy and start new sessions if their connectivity
changes.
6.6. Processing Queries in Parallel 6.6. Processing Queries in Parallel
As specified in Section 7 of "DNS Transport over TCP - Implementation As specified in Section 7 of [RFC7766] "DNS Transport over TCP -
Requirements" [RFC7766], resolvers are RECOMMENDED to support the Implementation Requirements", resolvers are RECOMMENDED to support
preparing of responses in parallel and sending them out of order. In the preparing of responses in parallel and sending them out of order.
DoQ, they do that by sending responses on their specific stream as In DoQ, they do that by sending responses on their specific stream as
soon as possible, without waiting for availability of responses for soon as possible, without waiting for availability of responses for
previously opened streams. previously opened streams.
6.7. Zone transfer 6.7. Zone transfer
[RFC9103] specifies zone transfer over TLS (XoT) and includes updates [RFC9103] specifies zone transfer over TLS (XoT) and includes updates
to [RFC1995] (IXFR), [RFC5936] (AXFR) and [RFC7766]. Considerations to [RFC1995] (IXFR), [RFC5936] (AXFR) and [RFC7766]. Considerations
relating to the re-use of XoT connections described there apply relating to the re-use of XoT connections described there apply
analogously to zone transfers performed using DoQ connections. For analogously to zone transfers performed using DoQ connections. For
example: example:
skipping to change at page 16, line 42 skipping to change at page 17, line 42
- pipeline such requests (if they pipeline XFR requests in - pipeline such requests (if they pipeline XFR requests in
general) and MAY intermingle them general) and MAY intermingle them
- send the response(s) for each request as soon as they are - send the response(s) for each request as soon as they are
available i.e. responses MAY be sent intermingled available i.e. responses MAY be sent intermingled
6.8. Flow Control Mechanisms 6.8. Flow Control Mechanisms
Servers and Clients manage flow control using the mechanisms defined Servers and Clients manage flow control using the mechanisms defined
in section 4 of [RFC9000]. These mechanisms allow clients and in Section 4 of [RFC9000]. These mechanisms allow clients and
servers to specify how many streams can be created, how much data can servers to specify how many streams can be created, how much data can
be sent on a stream, and how much data can be sent on the union of be sent on a stream, and how much data can be sent on the union of
all streams. For DNS over QUIC, controlling how many streams are all streams. For DNS over QUIC, controlling how many streams are
created allows servers to control how many new requests the client created allows servers to control how many new requests the client
can send on a given connection. can send on a given connection.
Flow control exists to protect endpoint resources. For servers, Flow control exists to protect endpoint resources. For servers,
global and per-stream flow control limits control how much data can global and per-stream flow control limits control how much data can
be sent by clients. The same mechanisms allow clients to control how be sent by clients. The same mechanisms allow clients to control how
much data can be sent by servers. Values that are too small will much data can be sent by servers. Values that are too small will
skipping to change at page 19, line 21 skipping to change at page 20, line 21
The 0-RTT data can be replayed by adversaries. That data may trigger The 0-RTT data can be replayed by adversaries. That data may trigger
queries by a recursive resolver to authoritative resolvers. queries by a recursive resolver to authoritative resolvers.
Adversaries may be able to pick a time at which the recursive Adversaries may be able to pick a time at which the recursive
resolver outgoing traffic is observable, and thus find out what name resolver outgoing traffic is observable, and thus find out what name
was queried for in the 0-RTT data. was queried for in the 0-RTT data.
This risk is in fact a subset of the general problem of observing the This risk is in fact a subset of the general problem of observing the
behavior of the recursive resolver discussed in "DNS Privacy behavior of the recursive resolver discussed in "DNS Privacy
Considerations" [RFC9076]. The attack is partially mitigated by Considerations" [RFC9076]. The attack is partially mitigated by
reducing the observability of this traffic. However, the risk is reducing the observability of this traffic. The mandatory replay
amplified for 0-RTT data, because the attacker might replay it at protection mechanisms in TLS 1.3 [RFC8446] limit but do not eliminate
chosen times, several times. the risk of replay. 0-RTT packets can only be replayed within a
narrow window, which is only wide enough to account for variations in
clock skew and network transmission.
The recommendation for TLS 1.3 [RFC8446] is that the capability to The recommendation for TLS 1.3 [RFC8446] is that the capability to
use 0-RTT data should be turned off by default, and only enabled if use 0-RTT data should be turned off by default, and only enabled if
the user clearly understands the associated risks. In our case, the user clearly understands the associated risks. In our case,
allowing 0-RTT data provides significant performance gains, and we allowing 0-RTT data provides significant performance gains, and we
are concerned that a recommendation to not use it would simply be are concerned that a recommendation to not use it would simply be
ignored. Instead, we provide a set of practical recommendations in ignored. Instead, we provide a set of practical recommendations in
Section 5.5 and Section 6.5.3. Section 5.5 and Section 6.5.3.
The prevention on allowing replayable transactions in 0-RTT data The prevention on allowing replayable transactions in 0-RTT data
expressed in Section 5.5 blocks the most obvious risks of replay expressed in Section 5.5 blocks the most obvious risks of replay
attacks, as it only allows for transactions that will not change the attacks, as it only allows for transactions that will not change the
long term state of the server. long term state of the server.
Attacks trying to assess the state of the cache are more powerful if
the attacker can choose the time at which the 0-RTT data will be
replayed. Such attacks are blocked if the server enforces single-use
tickets, or if the server implements a combination of Client Hello
recording and freshness checks, as specified in section 8 of
[RFC8446].
The attacks described above apply to the stub resolver to recursive The attacks described above apply to the stub resolver to recursive
resolver scenario, but similar attacks might be envisaged in the resolver scenario, but similar attacks might be envisaged in the
recursive resolver to authoritative resolver scenario, and the same recursive resolver to authoritative resolver scenario, and the same
mitigations apply. mitigations apply.
9.2. Privacy Issues With Session Resumption 9.2. Privacy Issues With Session Resumption
The QUIC session resumption mechanism reduces the cost of re- The QUIC session resumption mechanism reduces the cost of re-
establishing sessions and enables 0-RTT data. There is a linkability establishing sessions and enables 0-RTT data. There is a linkability
issue associated with session resumption, if the same resumption issue associated with session resumption, if the same resumption
skipping to change at page 20, line 41 skipping to change at page 21, line 32
reduced latency provided by session resumption and may consider this reduced latency provided by session resumption and may consider this
a valid reason to use resumption tickets even if the IP address a valid reason to use resumption tickets even if the IP address
changed between sessions. changed between sessions.
Encrypted zone transfer (RFC9103) explicitly does not attempt to hide Encrypted zone transfer (RFC9103) explicitly does not attempt to hide
the identity of the parties involved in the transfer, but at the same the identity of the parties involved in the transfer, but at the same
time such transfers are not particularly latency sensitive. This time such transfers are not particularly latency sensitive. This
means that applications supporting zone transfers may decide to apply means that applications supporting zone transfers may decide to apply
the same protections as stub to recursive applications. the same protections as stub to recursive applications.
9.3. Privacy Issues With New Tokens 9.3. Privacy Issues With Address Validation Tokens
QUIC specifies address validation mechanisms in section 8 of QUIC specifies address validation mechanisms in Section 8 of
[RFC9000]. Use of an address validation token allows QUIC servers to [RFC9000]. Use of an address validation token allows QUIC servers to
avoid an extra RTT for new connections. Address validation tokens avoid an extra RTT for new connections. Address validation tokens
are typically tied to an IP address. QUIC clients normally only use are typically tied to an IP address. QUIC clients normally only use
these tokens when setting a new connection from a previously used these tokens when setting a new connection from a previously used
address. However, due to the prevalence of NAT, clients are not address. However, due to the prevalence of NAT, clients are not
always aware that they are using a new address. There is a always aware that they are using a new address. There is a
linkability risk if clients mistakenly use address validation tokens linkability risk if clients mistakenly use address validation tokens
after unknowingly moving to a new location. after unknowingly moving to a new location.
The recommendations in Section 6.5.3 mitigates this risk by tying the The recommendations in Section 6.5.3 mitigates this risk by tying the
usage of the NEW TOKEN to that of session resumption. usage of the NEW_TOKEN to that of session resumption.
9.4. Traffic Analysis 9.4. Privacy Issues With Long Duration Sessions
A potential alternative to session resumption is the use of long
duration sessions: if a session remains open for a long time, new
queries can be sent without incurring connection establishment
delays. It is worth pointing out that the two solutions have similar
privacy characteristics. Session resumption may allow servers to
keep track of the IP addresses of clients, but long duration sessions
have the same effect.
In particular, a DoQ implementation might take advantage of the
connection migration features of QUIC to maintain a session even if
the client's connectivity changes, for example if the client migrates
from a Wi-Fi connection to a cellular network connection, and then to
another Wi-Fi connection. The server would be able to track the
client location by monitoring the succession of IP addresses used by
the long duration connection.
The recommendation in Section 6.5.4 mitigates the privacy concerns
related to long duration sessions using multiple client addresses.
9.5. Traffic Analysis
Even though QUIC packets are encrypted, adversaries can gain Even though QUIC packets are encrypted, adversaries can gain
information from observing packet lengths, in both queries and information from observing packet lengths, in both queries and
responses, as well as packet timing. Many DNS requests are emitted responses, as well as packet timing. Many DNS requests are emitted
by web browsers. Loading a specific web page may require resolving by web browsers. Loading a specific web page may require resolving
dozen of DNS names. If an application adopts a simple mapping of one dozen of DNS names. If an application adopts a simple mapping of one
query or response per packet, or "one QUIC STREAM frame per packet", query or response per packet, or "one QUIC STREAM frame per packet",
then the succession of packet lengths may provide enough information then the succession of packet lengths may provide enough information
to identify the requested site. to identify the requested site.
skipping to change at page 21, line 32 skipping to change at page 22, line 50
10. IANA Considerations 10. IANA Considerations
10.1. Registration of DoQ Identification String 10.1. Registration of DoQ Identification String
This document creates a new registration for the identification of This document creates a new registration for the identification of
DoQ in the "Application Layer Protocol Negotiation (ALPN) Protocol DoQ in the "Application Layer Protocol Negotiation (ALPN) Protocol
IDs" registry [RFC7301]. IDs" registry [RFC7301].
The "doq" string identifies DoQ: The "doq" string identifies DoQ:
Protocol: DoQ Protocol: DoQ
Identification Sequence: 0x64 0x6F 0x71 ("doq")
Specification: This document Identification Sequence: 0x64 0x6F 0x71 ("doq")
Specification: This document
10.2. Reservation of Dedicated Port 10.2. Reservation of Dedicated Port
Port 853 is currently reserved for 'DNS query-response protocol run Port 853 is currently reserved for 'DNS query-response protocol run
over TLS/DTLS' [RFC7858]. However, the specification for DNS over over TLS/DTLS' [RFC7858]. However, the specification for DNS over
DTLS (DoD) [RFC8094] is experimental, limited to stub to resolver, DTLS (DoD) [RFC8094] is experimental, limited to stub to resolver,
and no implementations or deployments currently exist to our and no implementations or deployments currently exist to our
knowledge (even though several years have passed since the knowledge (even though several years have passed since the
specification was published). specification was published).
This specification proposes to additionally reserve the use of port This specification proposes to additionally reserve the use of port
853 for DoQ. QUIC was designed to be able to co-exist with other 853 for DoQ. QUIC was designed to be able to co-exist with other
protocols on the same port, including DTLS , see Section 17.2 in protocols on the same port, including DTLS , see Section 17.2 of
[RFC9000]. [RFC9000].
IANA is requested to add the following value to the "Service Name and IANA is requested to add the following value to the "Service Name and
Transport Protocol Port Number Registry" in the System Range. The Transport Protocol Port Number Registry" in the System Range. The
registry for that range requires IETF Review or IESG Approval registry for that range requires IETF Review or IESG Approval
[RFC6335]. [RFC6335].
Service Name dns-over-quic Service Name: dns-over-quic
Port Number 853
Transport Protocol(s) UDP Port Number: 853
Assignee IESG
Contact IETF Chair Transport Protocol(s): UDP
Description DNS query-response protocol run over QUIC
Reference This document Assignee: IESG
Contact: IETF Chair
Description: DNS query-response protocol run over QUIC
Reference: This document
10.2.1. Port number 784 for experimentations 10.2.1. Port number 784 for experimentations
(RFC EDITOR NOTE: THIS SECTION TO BE REMOVED BEFORE PUBLICATION) (RFC EDITOR NOTE: THIS SECTION TO BE REMOVED BEFORE PUBLICATION)
Early experiments MAY use port 784. This port is marked in the IANA Early experiments MAY use port 784. This port is marked in the IANA
registry as unassigned. registry as unassigned.
(Note that version in -02 of this draft experiments were directed to (Note that version in -02 of this draft experiments were directed to
use port 8853.) use port 8853.)
10.3. Reservation of Extended DNS Error Code Too Early 10.3. Reservation of Extended DNS Error Code Too Early
IANA is requested to add the following value to the Extended DNS IANA is requested to add the following value to the Extended DNS
Error Codes registry [RFC8914]: Error Codes registry [RFC8914]:
INFO-CODE TBD INFO-CODE: TBD
Purpose Too Early
Reference This document Purpose: Too Early
Reference: This document
10.4. DNS over QUIC Error Codes Registry 10.4. DNS over QUIC Error Codes Registry
IANA [SHALL add/has added] a registry for "DNS over QUIC Error Codes" IANA [SHALL add/has added] a registry for "DNS over QUIC Error Codes"
on the "Domain Name System (DNS) Parameters" web page. on the "Domain Name System (DNS) Parameters" web page.
The "DNS over QUIC Error Codes" registry governs a 62-bit space. The "DNS over QUIC Error Codes" registry governs a 62-bit space.
This space is split into three regions that are governed by different This space is split into three regions that are governed by different
policies: policies:
* Permanent registrations for values between 0x00 and 0x3f (in * Permanent registrations for values between 0x00 and 0x3f (in
hexadecimal; inclusive), which are assigned using Standards Action hexadecimal; inclusive), which are assigned using Standards Action
or IESG Approval as defined in Section 4.9 and 4.10 of [RFC8126] or IESG Approval as defined in Section 4.9 and Section 4.10 of
[RFC8126]
* Permanent registrations for values larger than 0x3f, which are * Permanent registrations for values larger than 0x3f, which are
assigned using the Specification Required policy ([RFC8126]) assigned using the Specification Required policy ([RFC8126])
* Provisonal registrations for values larger than 0x3f, which * Provisonal registrations for values larger than 0x3f, which
require Expert Review, as defined in Section 4.5 of [RFC8126]. require Expert Review, as defined in Section 4.5 of [RFC8126].
Provisional reservations share the range of values larger than 0x3f Provisional reservations share the range of values larger than 0x3f
with some permanent registrations. This is by design, to enable with some permanent registrations. This is by design, to enable
conversion of provisional registrations into permanent registrations conversion of provisional registrations into permanent registrations
without requiring changes in deployed systems. (This design is without requiring changes in deployed systems. (This design is
aligned with the principles set in section 22 of [RFC9000].) aligned with the principles set in Section 22 of [RFC9000].)
Registrations in this registry MUST include the following fields: Registrations in this registry MUST include the following fields:
Value: The assigned codepoint. Value: The assigned codepoint.
Status: "Permanent" or "Provisional". Status: "Permanent" or "Provisional".
Contact: Contact details for the registrant. Contact: Contact details for the registrant.
Notes: Supplementary notes about the registration. Notes: Supplementary notes about the registration.
skipping to change at page 24, line 5 skipping to change at page 25, line 21
for another purpose. In addition to the parameters listed above, for another purpose. In addition to the parameters listed above,
provisional registrations MUST include: provisional registrations MUST include:
Date: The date of last update to the registration. Date: The date of last update to the registration.
A request to update the date on any provisional registration can be A request to update the date on any provisional registration can be
made without review from the designated expert(s). made without review from the designated expert(s).
The initial contents of this registry are shown in Table 1. The initial contents of this registry are shown in Table 1.
+=======+=======================+===================+===============+ +==========+=======================+================+===============+
| Value | Error | Description | Specification | |Value | Error |Description | Specification |
+=======+=======================+===================+===============+ +==========+=======================+================+===============+
| 0x0 | DOQ_NO_ERROR | No error | Section 5.3 | |0x0 | DOQ_NO_ERROR |No error | Section 5.3 |
+-------+-----------------------+-------------------+---------------+ +----------+-----------------------+----------------+---------------+
| 0x1 | DOQ_INTERNAL_ERROR | Implementation | Section 5.3 | |0x1 | DOQ_INTERNAL_ERROR |Implementation | Section 5.3 |
| | | error | | | | |error | |
+-------+-----------------------+-------------------+---------------+ +----------+-----------------------+----------------+---------------+
| 0x2 | DOQ_PROTOCOL_ERROR | Generic protocol | Section 5.3 | |0x2 | DOQ_PROTOCOL_ERROR |Generic protocol| Section 5.3 |
| | | violation | | | | |violation | |
+-------+-----------------------+-------------------+---------------+ +----------+-----------------------+----------------+---------------+
| 0x3 | DOQ_REQUEST_CANCELLED | Request | Section 5.3 | |0x3 | DOQ_REQUEST_CANCELLED |Request | Section 5.3 |
| | | cancelled by | | | | |cancelled by | |
| | | client | | | | |client | |
+-------+-----------------------+-------------------+---------------+ +----------+-----------------------+----------------+---------------+
|0x4 | DOQ_EXCESSIVE_LOAD |Closing a | Section 5.3 |
| | |connection for | |
| | |excessive load | |
+----------+-----------------------+----------------+---------------+
|0xd098ea5e| DOQ_ERROR_RESERVED |Alternative | Section 5.3 |
| | |error code used | |
| | |for tests | |
+----------+-----------------------+----------------+---------------+
Table 1: Initial DNS over QUIC Error Codes Entries Table 1: Initial DNS over QUIC Error Codes Entries
11. Acknowledgements 11. Acknowledgements
This document liberally borrows text from the HTTP-3 specification This document liberally borrows text from the HTTP-3 specification
[I-D.ietf-quic-http] edited by Mike Bishop, and from the DoT [I-D.ietf-quic-http] edited by Mike Bishop, and from the DoT
specification [RFC7858] authored by Zi Hu, Liang Zhu, John Heidemann, specification [RFC7858] authored by Zi Hu, Liang Zhu, John Heidemann,
Allison Mankin, Duane Wessels, and Paul Hoffman. Allison Mankin, Duane Wessels, and Paul Hoffman.
skipping to change at page 27, line 16 skipping to change at page 28, line 41
mailing list, 6 April 2016, <https://www.ietf.org/mail- mailing list, 6 April 2016, <https://www.ietf.org/mail-
archive/web/dns-privacy/current/msg01276.html>. archive/web/dns-privacy/current/msg01276.html>.
[I-D.ietf-quic-http] [I-D.ietf-quic-http]
Bishop, M., "Hypertext Transfer Protocol Version 3 Bishop, M., "Hypertext Transfer Protocol Version 3
(HTTP/3)", Work in Progress, Internet-Draft, draft-ietf- (HTTP/3)", Work in Progress, Internet-Draft, draft-ietf-
quic-http-34, 2 February 2021, quic-http-34, 2 February 2021,
<https://www.ietf.org/archive/id/draft-ietf-quic-http- <https://www.ietf.org/archive/id/draft-ietf-quic-http-
34.txt>. 34.txt>.
[RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996,
August 1996, <https://www.rfc-editor.org/info/rfc1996>.
[RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S. [RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
Cheshire, "Internet Assigned Numbers Authority (IANA) Cheshire, "Internet Assigned Numbers Authority (IANA)
Procedures for the Management of the Service Name and Procedures for the Management of the Service Name and
Transport Protocol Port Number Registry", BCP 165, Transport Protocol Port Number Registry", BCP 165,
RFC 6335, DOI 10.17487/RFC6335, August 2011, RFC 6335, DOI 10.17487/RFC6335, August 2011,
<https://www.rfc-editor.org/info/rfc6335>. <https://www.rfc-editor.org/info/rfc6335>.
[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", BCP 205, Code: The Implementation Status Section", BCP 205,
RFC 7942, DOI 10.17487/RFC7942, July 2016, RFC 7942, DOI 10.17487/RFC7942, July 2016,
skipping to change at page 28, line 5 skipping to change at page 29, line 32
October 2020, <https://www.rfc-editor.org/info/rfc8932>. October 2020, <https://www.rfc-editor.org/info/rfc8932>.
[RFC9002] Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection [RFC9002] Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection
and Congestion Control", RFC 9002, DOI 10.17487/RFC9002, and Congestion Control", RFC 9002, DOI 10.17487/RFC9002,
May 2021, <https://www.rfc-editor.org/info/rfc9002>. May 2021, <https://www.rfc-editor.org/info/rfc9002>.
[RFC9076] Wicinski, T., Ed., "DNS Privacy Considerations", RFC 9076, [RFC9076] Wicinski, T., Ed., "DNS Privacy Considerations", RFC 9076,
DOI 10.17487/RFC9076, July 2021, DOI 10.17487/RFC9076, July 2021,
<https://www.rfc-editor.org/info/rfc9076>. <https://www.rfc-editor.org/info/rfc9076>.
Appendix A. The NOTIFY service Appendix A. The NOTIFY Service
This appendix discusses the issue of allowing NOTIFY to be sent in This appendix discusses why it is considered acceptable to send
0-RTT data. NOTIFY (see [RFC1996]) in 0-RTT data.
Section Section 5.5 says "The 0-RTT mechanism SHOULD NOT be used to Section 5.5 says "The 0-RTT mechanism SHOULD NOT be used to send DNS
send DNS requests that are not "replayable" transactions", and requests that are not "replayable" transactions". This specification
suggests this is limited to OPCODE QUERY. It might also be viable to supports sending a NOTIFY in 0-RTT data because although a NOTIFY
propose that NOTIFY should be permitted in 0-RTT data because technically changes the state of the receiving server, the effect of
although it technically changes the state of the receiving server, replaying NOTIFYs has negligible impact in practice.
the effect of replaying NOTIFYs has negligible impact in practice.
NOTIFY messages prompt a secondary to either send an SOA query or an NOTIFY messages prompt a secondary to either send an SOA query or an
XFR request to the primary on the basis that a newer version of the XFR request to the primary on the basis that a newer version of the
zone is available. It has long been recognized that NOTIFYs can be zone is available. It has long been recognized that NOTIFYs can be
forged and, in theory, used to cause a secondary to send repeated forged and, in theory, used to cause a secondary to send repeated
unnecessary requests to the primary. For this reason, most unnecessary requests to the primary. For this reason, most
implementations have some form of throttling of the SOA/XFR queries implementations have some form of throttling of the SOA/XFR queries
triggered by the receipt of one or more NOTIFYs. triggered by the receipt of one or more NOTIFYs.
RFC9103 describes the privacy risks associated with both NOTIFY and [RFC9103] describes the privacy risks associated with both NOTIFY and
SOA queries and does not include addressing those risks within the SOA queries and does not include addressing those risks within the
scope of encrypting zone transfers. Given this, the privacy benefit scope of encrypting zone transfers. Given this, the privacy benefit
of using DoQ for NOTIFY is not clear - but for the same reason, of using DoQ for NOTIFY is not clear - but for the same reason,
sending NOTIFY as 0-RTT data has no privacy risk above that of sending NOTIFY as 0-RTT data has no privacy risk above that of
sending it using cleartext DNS. sending it using cleartext DNS.
Appendix B. Notable Changes From Previous Versions
(RFC EDITOR NOTE: THIS SECTION TO BE REMOVED BEFORE PUBLICATION)
B.1. Stream Mapping Incompatibility With Draft-02
Versions prior to -02 of this specification proposed a simpler
mapping scheme of queries and responses to QUIc stream, which omitted
the 2 byte length field and supported only a single response on a
given stream. The more complex mapping in Section 5.2 was adopted to
specifically cater for XFR support, however it breaks compatibility
with earlier versions.
Authors' Addresses Authors' Addresses
Christian Huitema Christian Huitema
Private Octopus Inc. Private Octopus Inc.
427 Golfcourse Rd 427 Golfcourse Rd
Friday Harbor, WA 98250 Friday Harbor, WA 98250
United States of America United States of America
Email: huitema@huitema.net Email: huitema@huitema.net
 End of changes. 80 change blocks. 
224 lines changed or deleted 326 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/